Well, they can spam the recipient mentioned in the form (that is, whoever is referred to with '12345'). Now, if there's just a few of those 'keys', no spammer will bother. But if you have thousands of people in your database, and the keys can be easily guessed (for instance, because you use consecutive numbers), a spammer can use the form by just guessing keys.

Abigail